Veritas NetBackup102 Sheltered Harbor Solution Guide

Veritas Solution Guide for
Sheltered Harbor
NetBackup 10.2
Veritas Sheltered Harbor Solution Guide
Last updated: 2023-03-27
Legal Notice
Copyright © 2023 Veritas Technologies LLC. All rights reserved.
Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas
Technologies LLC or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.
This product may contain third-party software for which Veritas is required to provide attribution
to the third party (“Third-party Programs”). Some of the Third-party Programs are available
under open source or free software licenses. The License Agreement accompanying the
Software does not alter any rights or obligations you may have under those open source or
free software licenses. Refer to the Third-party Legal Notices document accompanying this
Veritas product or available at:
https://www.veritas.com/about/legal/license-agreements
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Veritas Technologies
LLC and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED

CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas Technologies LLC SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq.
"Commercial Computer Software and Commercial Computer Software Documentation," as
applicable, and any successor regulations, whether delivered by Veritas as on premises or
hosted services. Any use, modification, reproduction release, performance, display or disclosure
of the Licensed Software and Documentation by the U.S. Government shall be solely in
accordance with the terms of this Agreement.
Veritas Technologies LLC

2625 Augustine Drive
Santa Clara, CA 95054
http://www.veritas.com
Technical Support
Technical Support maintains support centers globally. All support services will be delivered
in accordance with your support agreement and the then-current enterprise technical support
policies. For information about our support offerings and how to contact Technical Support,
visit our website:
https://www.veritas.com/support
You can manage your Veritas account information at the following URL:
https://my.veritas.com
If you have questions regarding an existing support agreement, please email the support
agreement administration team for your region as follows:
Worldwide (except Japan) CustomerCare@veritas.com
Japan CustomerCare_Japan@veritas.com
Documentation
Make sure that you have the current version of the documentation. Each document displays
the date of the last update on page 2. The latest documentation is available on the Veritas
website:
https://sort.veritas.com/documents
Documentation feedback
Your feedback is important to us. Suggest improvements or report errors or omissions to the
documentation. Include the document title, document version, chapter title, and section title
of the text on which you are reporting. Send feedback to:
NB.docs@veritas.com
You can also see documentation information or ask a question on the Veritas community site:
http://www.veritas.com/community/
Veritas Services and Operations Readiness Tools (SORT)

Veritas Services and Operations Readiness Tools (SORT) is a website that provides information
and tools to automate and simplify certain time-consuming administrative tasks. Depending
on the product, SORT helps you prepare for installations and upgrades, identify risks in your
datacenters, and improve operational efficiency. To see what services and tools SORT provides
for your product, see the data sheet:
https://sort.veritas.com/data/support/SORT_Data_Sheet.pdf
Contents
Chapter 1 About Veritas Sheltered Harbor solutions .................... 6

About Sheltered Harbor ................................................................... 6
AboutS heltered Harbor solutions ...................................................... 7
Data vaulting in Sheltered Harbor solutions ......................................... 8
About Veritas Alta solution for Sheltered Harbor ................................... 8
Archive data vaulting using Veritas Alta Recovery Vault for
Sheltered Harbor ............................................................... 9
Archive restoration using Veritas Alta Recovery Vault for Sheltered
Harbor ........................................................................... 10
About Veritas NetBackup for Sheltered Harbor ................................... 12
Archive data vaulting to Air-gapped Cyber Resilient Domain (CRD)
..................................................................................... 13
Archive restoration in Cyber Resilient Domain .............................. 15
Archive recovery in Cyber Resilient Domain (CRD) and restoration
in restoration environment .................................................. 17
Restore backup data using NetBackup web UI ................................... 19
Chapter 2 Prerequisites to configure Sheltered Harbor

solutions ......................................................................... 21
Common prerequisites to configure Sheltered Harbor solutions .............. 21
NetBackup installation ............................................................ 21
System requirements .............................................................. 22
Prerequisites to configure Veritas Alta solution for Sheltered Harbor
........................................................................................... 23
Prerequisites to configure NetBackup solution for Sheltered Harbor
........................................................................................... 23
Configuration of Isolated Recovery Environment (IRE) ................... 24
Configuration of Flex ............................................................... 26
Chapter 3 Veritas Sheltered Harbor solution workflow ............... 27

How to use Veritas Sheltered Harbor solutions ................................... 27
Perform data vaulting using interactive mode ............................... 28
Perform data vaulting using non-interactive mode ......................... 35
About key management services (KMS) ............................................ 40
Contents 5
About configuration recovery in NetBackup solution for Sheltered

Harbor ................................................................................. 40
Viewing operation details ............................................................... 41
Chapter 4 Glossary ............................................................................... 43
Glossary terms for Veritas Sheltered Harbor solutions .......................... 43

Chapter 1
About Veritas Sheltered
Harbor solutions
This chapter includes the following topics:
■ About Sheltered Harbor
■ AboutS heltered Harbor solutions
■ Data vaulting in Sheltered Harbor solutions
■ About Veritas Alta solution for Sheltered Harbor
■ About Veritas NetBackup for Sheltered Harbor
■ Restore backup data using NetBackup web UI
About Sheltered Harbor

Sheltered Harbor protects public confidence in the U.S. financial system if a
devastating event like a cyberattack causes an institution’s critical systems - including
backups - to fail.
The Sheltered Harbor solution is for U.S. financial institutions of all types and sizes
and is your lifeline to survival in an extreme cyber, data corruption or data deletion
event. It ensures you to remain connected with your customers and can continue
to serve them with essential services, within hours of a catastrophic event that has
caused all your critical systems - including backups - to fail. Sheltered Harbor
Specifications provide that “fail-safe”, thereby enhancing your institutions’ resilience,
reputation, and customers’ trust .
The following are the three core elements of the Sheltered Harbor solution:
■ Data Vaulting
About Veritas Sheltered Harbor solutions 7
AboutS heltered Harbor solutions
■ Resilience Planning
■ Certification
Data Vaulting
Institutions back up critical customer account data each night in the Sheltered
Harbor standard format, either managing their own vault or using their service
provider. The data vault is encrypted, unchangeable, and completely separated
from the institution’s infrastructure.
Resilience Planning
Institutions prepare the business and technical processes and key decision
arrangements to be activated in the case of a Sheltered Harbor event; where all
other options to restore critical systems - including backups - have failed. Sheltered
Harbor resilience plan enables the participating financial institution to quickly recover
the critical account data from the vault and restore two critical services: customer
access to account balance information, and access to funds against those balances.
Certification
Participating institutions adopt a robust set of Sheltered Harbor prescribed
safeguards and controls, which are independently audited for compliance with the
Sheltered Harbor standards. Upon successfully completing the requirements for
Data Vaulting, the institution will be awarded Sheltered Harbor Data Protected
certification and an accompanying seal, communicating that their customer account
data is protected. Additional certification is awarded to organizations that
demonstrate completed and tested resilience plans.
AboutS heltered Harbor solutions

Sheltered Harbor’s endorsement of a NetBackup client confirms that it meets
Sheltered Harbor’s prescribed Data Vaulting Solution Requirements and provides
a secure environment for the daily data vaulting process:
■ Immutable storage: During a cyberattack, the vault remains immutable and the
data cannot be erased or modified in any worst-case scenario.
■ Survivable vault: The vault is accessible even when the institution’s infrastructure
fails. The financial institution can retrieve the data easily and maintain continuous
access to essential processes.
■ Controlled environment: The decentralized environment secures the data from
being tampered. Data is easily accessible and is kept separate from the
institution’s infrastructure.
Data vaulting in Sheltered Harbor solutions
Consequently, institutions that implement the NetBackup client properly should be

able to achieve certification more quickly and easily.
Data vaulting in Sheltered Harbor solutions

Sheltered Harbor solution backs up the financial institution’s critical customer account
data every day in the Sheltered Harbor standard format. The Sheltered Harbor
solution is implemented in NetBackup client where daily vaulting process is run to
make the backup readily available.
The backup data is encrypted, unchangeable, and completely separated from the
institution’s infrastructure. Th Sheltered Harbor solution runs the daily vaulting
process that supports the following options that can back up the data:
■ Veritas Alta™ solution for Sheltered Harbor
See “About Veritas Alta solution for Sheltered Harbor” on page 8.
■ Veritas NetBackup™ solution for Sheltered Harbor
See “About Veritas NetBackup for Sheltered Harbor” on page 12.
About Veritas Alta solution for Sheltered Harbor

The Veritas Alta solution for Sheltered Harbor implements Sheltered Harbor
standards to run daily data vaulting process and to persist data in an immutable
cloud-based vault.
Veritas recommends the Veritas Alta Recovery Vault multi-cloud immutable storage
service with air-gapped isolation that protects data from cyber threats that is a
predictable as-a-service subscription offering. The cloud-based storage-as-a-service
provides a seamless, fully managed storage option to store critical data. The
institution data remains secure in the cloud and protected from the ransomware.
For more information, refer to the Veritas Alta Recovery Vault documentation.
Veritas Alta Recovery Vault supports the following:
■ Archive data vaulting using Veritas Alta Recovery Vault for Sheltered Harbor
See “Archive data vaulting using Veritas Alta Recovery Vault for Sheltered
Harbor” on page 9.
■ Archive restoration using Veritas Alta Recovery Vault for Sheltered Harbor
See “Archive restoration using Veritas Alta Recovery Vault for Sheltered Harbor”
on page 10.
Archive data vaulting using Veritas Alta Recovery Vault for Sheltered
Harbor
In this process, the selected data is stored on the cloud using immutable storage
and the original files are available on the source. To start the data vaulting operation,
the backup policy needs to be configured on the NetBackup primary server. When
you start the data vaulting operation, the NetBackup client software on your computer
sends the data to be backed up to the NetBackup media server. The media server
then deduplicates and writes the data to a supported immutable cloud object storage.
After the data backup is successful, the Sheltered Harbor solution sends an
attestation message to Sheltered Harbor monitoring log.
The Sheltered Harbor solution on the NetBackup client initiates the backup of
encrypted data. The following diagram depicts the process of data backup to Veritas
Alta Recovery Vault:
Figure 1-1 Archive data vaulting using Veritas Alta Recovery Vault for
Sheltered Harbor
Production Domain
Primary
Server
NetBackup Client
1 3
Bar 4
UI
Veritas Alta
Input Storage NetBackup Transfer Storage
MSDP-C Server Recovery Vault
(Data Extraction) Sheltered Harbor
Cloud Provider KMS (Archive Volumes & Secure
Solution
Envelope)
Post Processing 5
2
Private / Public Keys Sheltered Harbor
Monitoring Log
The process flow is as follows:

1 Input storage: The input storage includes manifest, account data files, and
corresponding hash files that originated from the institution. At this stage, the
input data is extracted using the Sheltered Harbor solution and is processed
further for input data validation. Here, it generates an archive volume and
encrypts it using the data encryption key. It also generates the secure envelope
that stores the cryptographic material of encryption.
2 External or cloud provider KMS: The NetBackup Sheltered Harbor solution
encrypts the input storage data using data encryption key (DEK) and this DEK
is further encrypted with the help of a configured external KMS or cloud-provider
based KMS. It ensures that the encryption or decryption keys do not leave the
KMS boundaries. If cloud KMS is not configured, you can use on-premises
KMS.
3 Transfer storage: The input data files are compressed and encrypted to
generate encrypted archive volumes and are stored in the transfer storage.
4 Immutable cloud storage: NetBackup deduplicates and stores the encrypted
volume and secure envelope to a supported immutable cloud object storage
such as Veritas Alta Recovery Vault during the backup process. A unique
keyword is generated and is used during backup. This keyword identifies the
backup image during restore and it can be seen using --report command
option. For example, ‘SH-<random number>’ keyword is generated during
backup that is further used on the BAR UI to see the backup files.
Note: The Sheltered Harbor solution supports either VeritasAlta Recovery

Vault or an Isolated Recovery Environment (IRE) to be configured for the data
vaulting operations. Other NetBackup storage unit types are not supported.
5 Sheltered Harbor monitoring log: The Sheltered Harbor monitoring log shows
the attestation message as a proof of a successful completion of the daily data
vaulting process.
Archive restoration using Veritas Alta Recovery Vault for Sheltered

Harbor
Data restoration is carried out to restore the data if required using the restore
command option. The Sheltered Harbor solution on the NetBackup client decrypts
and restores the data. The following diagram depicts the process to restore the
data from Veritas Alta Recovery Vault.
Figure 1-2 Archive restoration using Veritas Alta Recovery Vault for
Sheltered Harbor
Production Domain
NetBackup Client
Primary
Server
Storage Medium (Hard

Disk/Pendrive)
1 2
Backup Archive Bar 4

Restore UI
UI
Veritas Alta Recovery NetBackup Restored
MSDP-C Server
Recovery Vault Storage Sheltered Harbor Data Storage
(Archive Volumes & Secure
Solution
Envelope)
Cloud Provider KMS
Private / Public Keys

1 Archive retrieval: From the NetBackup client, you need to manually restore the
backup data using NetBackup Backup Archive Restore (BAR) UI or NetBackup
web UI. You need to use the backup keyword to restore the data.
See “Restore backup data using NetBackup web UI” on page 19.
2 Data restoration: The recovery storage contains the retrieved encrypted data
files along with the secure envelope. You can use any portable medium (such
as pen drive, hard disk) to store the restored data. The portable media can be
transferred to the third-party restoration platform to restore data and services.
Note: Ensure that you specify the correct recovery storage path while you
restore the backup data files using the BAR GUI or web UI.
About Veritas NetBackup for Sheltered Harbor
3 External or cloud provider KMS: The NetBackup Sheltered Harbor solution

decrypts the data encryption key (DEK) with the help of a configured external
KMS or a cloud-provider based KMS. The DEK is further used to decrypt the
recovery storage data. It ensures that the encryption or decryption keys do not
leave the KMS boundaries. If cloud KMS is not configured, you can use
on-premises KMS.
Note: The decryption of data by the solution is required only for data recovery
and verification test, or for service restoration by a self-restorer.
4 Restored data storage: Once you perform the data restoration using the
Sheltered Harbor solution, the data files are decrypted and stored in the restored
data storage.
The data restoration using the Sheltered Harbor solution can be done on a
completely isolated NetBackup client that does not have a connectivity with a
primary server. Such isolated NetBackup client can be installed by skipping
host certificate deployment during NetBackup client install. The data restoration
needs a connectivity with KMS where envelope decryption key is stored.
Note: Ensure that you specify the correct restoration storage path while
performing the data restoration operation.

The Veritas NetBackup™ for Sheltered Harbor solution implements Sheltered
Harbor standards to run daily data vaulting process. Isolated Recovery Environment
(IRE) enables air-gapped backup copies by disabling network connectivity to a
secure copy of your critical data, providing administrators a clean set of files. This
is on demand to neutralize the impact from a ransomware attack.
The NetBackup Isolated Recovery Environment solution:
■ Ensures data is immutable and indelible – minimizing threats from both
ransomware and rogue users.
■ Detects ransomware infections within the protected data to prevent reinfection
when restoring data.
■ Enables recovery operations at scale so business services can meet service
level objectives.
■ Enables predictable recovery processes that can be rehearsed to on-premises

or cloud infrastructure.
Veritas NetBackup™ for Sheltered Harbor supports the following:
■ Archive data vaulting to Air-gapped Cyber Resilient Domain (CRD)
■ Archive restoration in Cyber Resilient Domain (CRD)
■ Archive recovery in Cyber Resilient Domain (CRD) and restoration in restoration
environment
Archive data vaulting to Air-gapped Cyber Resilient Domain (CRD)

In this process, the selected data is backed up and replicated to Cyber Resilient
Domain (CRD) and leaves the original files on the source. To start the data vaulting
operation, the backup policy that uses storage lifecycle policy (SLP) with IRE capable
storage unit, needs to be configured on the production NetBackup primary server.
When you start the data vaulting operation, the NetBackup client software on your
computer sends the data to be backed up to the NetBackup media server that runs
in the production domain. That media server then replicates it to media server that
runs in CRD domain and subsequently it is imported in CRD NetBackup primary
server. This process ensure that a copy is created on immutable storage that is
present in the CRD domain and is completely isolated from the production domain.
After a copy of the data is created in the immutable storage, the Sheltered Harbor
solution sends an attestation message to the Sheltered Harbor monitoring log.
Note: Sheltered Harbor solution requires outbound connections to be open from

CRD primary server to production primary server so that import notification works.
Import notification is sent to the production domain that indicates that the copy of
SLP images is completed in the CRD domain.
The Sheltered Harbor solution on the NetBackup client initiates the backup of
encrypted data. The following diagram depicts the process of data vaulting to CRD
domain:
Figure 1-3 Data vaulting using Veritas NetBackup for Sheltered Harbor
Cyber Resillient
Production Domain Domain (CRD)
Primary
Primary Server
Server
NetBackup Client
6
1 Ba 3
r
Input Storage UI
NetBackup
Transfer Storage MSDP Storage
(Data Extraction) MSDP Immutable
Sheltered Harbor 5
Solution 4 storage
Cloud Provider
KMS
Post
2 Processing 7 Sheltered Harbor
Private /
Public Keys Monitoring Log

1 Input storage: The input storage includes manifest, account data files, and
corresponding hash files that originated from the institution. At this stage, the
input data is extracted using the Sheltered Harbor solution and is processed
further for input data validation.
Here, it generates an archive volume and encrypts it using the data encryption
key. It also generates the secure envelope that stores the cryptographic material
of encryption.
2 External or cloud provider KMS: The Sheltered Harbor solution encrypts the
input storage data using data encryption key (DEK) and this DEK is further
encrypted with the help of a configured premises KMS. It ensures that the
encryption/decryption keys do not leave the KMS boundaries. If cloud KMS is
not configured, you can use on-premises KMS.
3 Transfer storage: The input data files are compressed and encrypted to
generate encrypted archive volumes and are stored in the transfer storage.
4 Backup in production domain: The encrypted archive volumes along with secure
envelope get backed up on a production MSDP storage unit first. A unique
keyword is generated and is used during backup. This keyword identifies the
backup image during restore and it can be seen using –-report command
option. For example, ‘SH-<random number>’ keyword is generated during
backup that is further used on the BAR UI to see the backup files.
Note: The Backup operation runs successfully without configuring IRE import
notification.
5 Air gap: The air gap restricts network access to data stored on MSDP server
running in CRD domain except during time-frame when replication occurs from
production MSDP to CRD MSDP server. Once the encrypted archive volumes
along with secure envelope get backed up in production domain, NetBackup
initiates replication of that backup image only when logical air gap is closed.
6 Import in CRD domain: Once the image is replicated to CRD domain, the import
operation imports the image in CRD domain ensuring that a copy of encrypted
archive volumes and secure envelope, is made on immutable storage in CRD
domain. After successful import, a notification is sent to Production Primary
server.
7 Sheltered Harbor monitoring log: The Sheltered Harbor solution keeps polling
for import notification from CRD domain. Once it receives that an attestation
message as a proof of a successful completion of the daily data vaulting process
is sent to Sheltered Harbor monitoring Log.
Archive restoration in Cyber Resilient Domain

Data restoration is carried out to restore the data if required using the restore
command option. The Sheltered Harbor solution on the NetBackup client decrypts
and restores the data.
The following diagram depicts the process to restore the data using Veritas
NetBackup for Sheltered Harbor solution in CRD domain.
Figure 1-4 Archive restoration in Cyber Resilient Domain

CRD domain
NetBackup Client
Primary
Server
Recovery
Storage Medium (Hard
Disk/Pendrive) Storage Medium (Hard domain
1 Disk/Pendrive)
Backup Archive
Restore UI
Institution
Recovery Restored 5
MSDP-C Server Storage NetBackup Data Storage
(Archive Volumes Sheltered
& Secure 2 Harbor 4
Envelope) Solution
Cloud
Provider KMS
Private /
Public Keys

backup data using NetBackup Backup Archive Restore UI (BAR GUI) or
NetBackup Web UI. While restoring, you need to use the backup keyword to
restore the data.
Note: Make sure that the recovery storage path should be empty while restoring
the backup data files because the data files cannot be overwritten.
2 Recovery storage: It contains the recovered encrypted data files along with
the secure envelope. You can use any portable medium (such as Pen drive,
hard disk) to store the recovered data.
Note: Make sure that you specify the correct recovery storage path while
restoring the backup data files. Use the NetBackup Backup Archive Restore
UI to restore the data.
3 External or cloud provider KMS: The Sheltered Harbor solution decrypts the
data encryption key (DEK) with the help of a configured KMS. The DEK is
further used to decrypt the recovery storage data. It ensures that the
4 Restored data storage: Once you perform the data restoration using the
Sheltered Harbor solution, the data files are decrypted and stored in the restored
data storage.
The data restoration using Sheltered Harbor solution can be done on a
5 Recovery domain: Once the files are stored in the restored data storage, you
can transfer the data to recovery domain by using any portable medium (such
as Pen drive, hard disk).
Archive recovery in Cyber Resilient Domain (CRD) and restoration

in restoration environment
Here the archived volumes are recovered in CRD domain and data restoration is
carried out in Recovery domain using the restore command option. The Sheltered
Harbor solution on the NetBackup client decrypts and restores the data.
The following diagram depicts the process to recover the data in CRD domain and
restore it in Recovery domain using Veritas NetBackup for Sheltered Harbor solution.
Figure 1-5 Archive recovery in Cyber Resilient Domain (CRD) and restoration
in restoration environment
CRD domain Recovery domain
Primary
Server NetBackup Client
3
Storage Medium 4 5
1 2 (Hard Disk/Pendrive)
Backup Archive Bar

Restore UI
UI
MSDP-C Server Recovery NetBackup Restored
(Archive Volumes & Storage Sheltered storage
Secure Envelope) Harbor
Solution
Cloud-prpvider
KMS
Private / Public
Keys

backup data using NetBackup Backup Archive Restore UI (BAR GUI) or
NetBackup Web UI in the CRD domain. While recovering, you need to use the
backup keyword to recover the data.
2 Recovery storage: It contains the recovered encrypted data files along with
the secure envelope. You can use any portable medium (such as Pen drive,
hard disk) to store the restored data.
Note: Make sure that you specify the correct recovery storage path while
recovering the backup data files. Use the NetBackup Backup Archive Restore
UI to recover the data or NetBackup web UI.
3 Data transfer: Use any portable medium (such as Pen drive, hard disk) to
transfer the encrypted data files to the Recovery domain to initiate data
decryption by using Sheltered Harbor solution.
Restore backup data using NetBackup web UI
4 External or cloud provider KMS : The Sheltered Harbor solution decrypts the
data encryption key (DEK) with the help of a configured KMS. The DEK is
further used to decrypt the recovery storage data. It ensures that the
5 Restored data storage: Once the recovered data available in Restoration
environment, the Sheltered Harbor solution is run to perform the data restoration
which decrypts archived volumes and extract data files and store in the restored
data storage.
The data restoration using Sheltered Harbor solution can be done on a

Use the following procedures to restore the backup data using NetBackup web UI:
To restore the backup data
1 Log into NetBackup web UI. See Sign in to the NetBackup web UI for more
information.
2 On the left, click Recovery.
3 Under Regular recovery, click Start recovery.
4 Select the following properties:
■ Source client
The client that performed the backup.
■ Destination client
The client to which you want to restore the backup.
■ Policy type
Note: For UNIX, use the standard policy type. For Windows, use the
MS-Windows policy type.
■ Restore type
You need to use normal backups type.
5 Click Next.
6 Select the Start date and End date.
7 Select Backup Keyword that was used during backup. You can run the
--report command option to see the keyword.
8 Select the files that needs to be restored using the file explorer.
Note: All the files in the image need to be selected for restore. If they are not
selected, the Sheltered Harbor solution does not recover the files.
9 Click Next.
10 Select Restore target options as required. If Restore everything to a
different location is selected, then provide the directory used as Recovery
storage path for Sheltered Harbor solution.
11 Click Next.
12 Review the recovery settings and then click Start recovery.
Chapter 2
Prerequisites to configure
Sheltered Harbor solutions
■ Common prerequisites to configure Sheltered Harbor solutions
■ Prerequisites to configure Veritas Alta solution for Sheltered Harbor
■ Prerequisites to configure NetBackup solution for Sheltered Harbor
Common prerequisites to configure Sheltered

Harbor solutions
Review the given prerequisites that are applicable for both Sheltered Harbor
solutions.
NetBackup installation
The NetBackup Sheltered Harbor solution is available on all NetBackup server
platforms.
The following are the steps to install NetBackup primary server, media server, and
client.
Table 2-1 Installation Overview
Step Description
Step 1 Install the NetBackup primary server software on your system.
See NetBackup Installation Guide.

Prerequisites to configure Sheltered Harbor solutions 22
Common prerequisites to configure Sheltered Harbor solutions
Table 2-1 Installation Overview (continued)
Step Description
Step 2 Install the NetBackup media server software on your system.
Step 3 Install the NetBackup client software on your system.
System requirements
Review the following system requirements for the NetBackup Sheltered Harbor
solution:
■ NetBackup primary server: Version 10.2
■ NetBackup media server: Version 10.2
■ NetBackup client: Version 10.2
Note: NetBackup version 10.2 is highly recommended for NetBackup primary,

media server, and client roles. Limited NetBackup deployment types for BYO and
Flex Appliance are supported using version 10.1
KMS: Use either of the following KMS services:

■ Cloud KMS (CKMS): Azure key vault based external KMS solutions is supported.
■ On-premises KMS (EKMS): See External KMS - Considerations in the Encryption
and Security Solutions section for more information.
Note: NetBackup KMS cannot be used for the Sheltered Harbor solution
configuration.
Note: CRL downloading is not allowed on NetBackup client by default, hence one
should enable it by setting ALLOW_SH_EKMS_CRL_DOWNLOAD config flag to
1 to make SSL connection to an external KMS server (default value is 0).
Immutable cloud storage: An immutable cloud storage provider is required to support

Sheltered Harbor specific standards. See cloud storage vendor compatibility list
with either of these two designations.
■ S3 Object Lock: Yes
Prerequisites to configure Veritas Alta solution for Sheltered Harbor
■ Object Lock (Immutable storage): Yes

Operating system: For information on the operating system requirements for the
NetBackup primary server, media server and client, see Veritas NetBackup
Compatibility List.
Prerequisites to configure Veritas Alta solution

for Sheltered Harbor
To configure Veritas Alta Recovery Vault and create a policy, do the following:
Table 2-2 Configuration Overview
Step Description
Step 1 To configure Veritas Alta Recovery Vault (formerly known as NetBackup

Recovery Vault), see Veritas Alta Recovery Vault Deployment Guide.
Step 2 To create a policy, see the Creating backup policies chapter in NetBackup
Administrator’s Guide, Volume 1.
While creating the policy, you must select the user backup schedule to configure
the policy. For the NetBackup Sheltered Harbor solution, the retention period
must be greater than 2 days.
Note: Ensure that the client host name used in backup policy is exactly same
as CLIENT_NAME field in client's NetBackup configuration.
Note: You must get the license from the Sheltered Harbor before configuring the
NetBackup Sheltered Harbor solution and make sure to renew the license before
it expires.
Prerequisites to configure NetBackup solution for

Sheltered Harbor
To configure Veritas NetBackup for Sheltered Harbor solution, do the following:
Table 2-3 Configuration Overview
Step Description
Step 1 To configure Auto Image Replication (A.I.R.), see About Auto Image
Replication (A.I.R.).
Step 2 To configure Isolated Recovery Environment (IRE), see Configuring isolated

recovery environment (IRE).
Step 3 To configure the Isolated recovery Environment (IRE) for Sheltered Harbor
solution.
See “Configuration of Isolated Recovery Environment (IRE)” on page 24.
Step 4 To create a policy, see the Creating backup policies chapter in NetBackup
Administrator’s Guide, Volume 1.
While creating the policy, you must select the user backup schedule to
configure the policy. For the NetBackup Sheltered Harbor solution, the
retention period must be greater than 2 days.
Note: Ensure that the client host name used in backup policy is exactly
same as CLIENT_NAME field in client's NetBackup configuration.
Configuration of Isolated Recovery Environment (IRE)

To configure the IRE for Sheltered Harbor solution, do the following:
To configuring IRE
■ On UNIX systems, the directory path to the following commands is
/usr/openv/netbackup/bin/admincmd
■ On Windows systems, the directory path to following commands is

install_path\NetBackup\bin\admincmd
1 Set SLP lifecycle parameter SLP.ENABLE_IMPORT_CONFIRMATION = 1 in

Production and IRE domain. Use the following command:
# bpsetconfig
bpsetconfig> SLP.ENABLE_IMPORT_CONFIRMATION = 1
2 Add IRE primary server as Trusted Master in production primary. Use the
following command:
# bpsetconfig
bpsetconfig> TRUSTED_MASTER = <IRE primary server name>
3 Update remote primary server version of IRE primary in production domain.

Use the following command:
# nbemmcmd -updatehost -machinename <IRE primary server name>
-machinetype remote_primary -netbackupversion <NetBackup version>
4 Add production primary server as remote primary server in IRE domain. Use
the following command:
# nbemmcmd -addhost -machinename <Production primary server name>
-machinetype remote_primary -netbackupversion <NetBackup version>
-operatingsystem <OS name>
■ On UNIX systems, the directory path to the following commands is

usr/openv/netbackup/bin/
■ On Windows systems, the directory path to the following commands is

install_path\NetBackup\bin\
5 Deploy HostID certificate for IRE primary server from Production Primary server.
Use the following command:
# nbcertcmd -getCACertificate -server <production primary server>
# nbcertcmd -getCertificate -server <production primary server>

-token <token>
Note: If you are using ECA enroll certificate on IRE primary server then, run
the following command.
# nbcertcmd -enrollCertificate -server <production primary server>
Configuration of Flex
Veritas NetBackup solution for Sheltered Harbor is supported on Veritas Flex
Appliance 2.1 and later.
To configure Flex Appliance for Sheltered Harbor solution
1 Configure Flex Appliance. See the article.
2 Configure NetBackup primary server, media server, and WORM storage server
instance on Flex Appliance. See the article.
3 Configure Isolated Recovery Environment (IRE) on Flex Appliance. See the
article.
4 Configure IRE for Sheltered Harbor solution.
See “Configuration of Isolated Recovery Environment (IRE)” on page 24.
5 NetBackup client can be installed on a separate host and associated with the
NetBackup Flex primary server instance.
Configure the NetBackup for Sheltered Harbor solution on the same client.
Chapter 3
Veritas Sheltered Harbor
solution workflow
■ How to use Veritas Sheltered Harbor solutions
■ About key management services (KMS)
■ About configuration recovery in NetBackup solution for Sheltered Harbor
■ Viewing operation details
How to use Veritas Sheltered Harbor solutions

This section contains detailed information on how to perform the data vaulting
operation using NetBackup Sheltered Harbor solution.
To perform the configuration, registration, backup, and restore operations, use the
nbshvault command.
After you carry out the configuration, registration, backup, or restore operations,
see the following directory paths to view the logs:
Windows: NetBackup_install_path\NetBackup\logs\nbshvault
UNIX: /usr/openv/netbackup/logs/nbshvault
Note: The log directory is not created by default. To do so, you need to run the
mklogdir command on the NetBackup client.
Veritas Sheltered Harbor solution workflow 28
The nbshvault command can be executed by non-root user by running it along

with nbcmdrun command. Only non-interactive mode is supported when it is executed
using nbcmdrun command.
Following are the two methods to perform configuration, registration, backup, or
restore operations:
■ Use interactive mode
See “Perform data vaulting using interactive mode” on page 28.
Note: Use the interactive mode in case you want to run the NetBackup Sheltered
Harbor solution manually.
■ Use non-interactive mode

See “Perform data vaulting using non-interactive mode” on page 35.
Note: To perform operation using non-interactive mode, JSON files are required
to pass the input to the NetBackup Sheltered Harbor solution.
Perform data vaulting using interactive mode

Interactive mode of command lets you perform configure, backup, and restore data
operations. To perform these data vaulting operations, you need to manually enter
the values to run the Sheltered Harbor solution. Interactive mode is performed
manually and cannot be used for automated daily data vaulting process.
To understand how the data vaulting operations are performed using the interactive
mode, see the following:
Configure operation
Configuration operation is the first step to be done to configure the Sheltered Harbor
solution.
Note: Ensure that the configure and register operations are completed before you
perform the backup or restore operations.
Use the following procedures to perform the configure operation:

To configure the Sheltered Harbor solution
1 Run either of the following commands on the command prompt:
■ nbshvault --configure
■ nbshvault --configure [--config-dir config-dir-path]
If you have provided the config-dir option during configuration, you should use
the config-dir option in the command as well.
2 Enter the Institution ID.
3 Enter the following logging information about the Sheltered Harbor solution:
■ Maximum log file size (default size is 10 MB).
The Sheltered Harbor solution rotates the log when the log file size exceeds
to the maximum log file size.
■ Verbose value (default value is 2).
You need to specify the verbose value between 2 to 5 to see warning, and
critical level message in the log file. To see the debug level messages,
specify the verbose value as 6.
4 Enter the Sheltered Harbor license file path.
Note: Sheltered Harbor validates licenses of financial institutions every year.

The license file needs to be provisioned on the NetBackup client where the
Sheltered Harbor solution runs.
Note: Ensure that you have the read permissions to the license file to run the
nbshvault command.
5 Enter monitoring log type such as Live monitor or Stage monitor to send an
attestation message after successful data vaulting.
6 Select the solution type such as Veritas Alta™ Solution for Sheltered Harbor
or Veritas NetBackup™ Solution for Sheltered Harbor.
Note: Veritas Alta™ Solution for Sheltered Harbor is the default option
selected.
7 Enter the NetBackup API key path when you select the solution type as Veritas
NetBackup™ Solution for Sheltered Harbor.
For more information about NetBackup API key, see https://www.veritas.com
Note: You need to create NetBackup API key using NetBackup web UI
beforehand with the required RBAC permissions. You must add the NetBackup
API key in the text file with the following format <primary server
name>:<NetBackup API key>.
Ensure that you have the read permissions to the API key path.
8 Enter the primary server backup policy.
Note: The storage unit value in the primary server backup policy needs to be
configured with the immutable cloud storage bucket or with the storage lifecycle
policy replicating the image to IRE domain on immutable storage.
9 Enter the following details for KMIP based KMS and Azure key vault:
Select KMIP based KMS or Azure Key Vault.
For example, (KMIP, Azure).
If you enter KMIP based KMS, do the following:
■ Enter the KMS server name:
■ Enter the KMIP port [5696 is default]:
■ Enter the absolute path of certificate file:
■ Enter the absolute path of private key file:
■ Enter the absolute path of CA certificate file:
■ Enter the envelope private encryption key ID:
■ Enter the envelope public encryption key ID:
■ Enter the envelope private sign key ID:
■ Enter the envelope public sign key ID:
If you enter Azure Key Vault, do the following:
■ Enter Vault URI of Azure Key Vault:
■ Enter an authentication option for Azure Key Vault:
■ 1. Managed Identity
■ 2. Service principal with a Client Secret [1,2] : 2
■ Enter Azure client ID:

■ Enter Azure tenant ID:
■ Enter Azure Client secret path: /root/sharbor/storage/tsp/jsonf.json
■ Do you want to use online certificate status protocol (OCSP) [y,n] [n is
default]:
■ Enter Azure envelope private encryption key ID: SH
■ Enter Azure envelope public encryption key ID: SH
■ Enter Azure envelope private sign key ID: SH
■ Enter Azure envelope public sign key ID: SH
The following example shows the configuration operation:
#nbshvault --configure
This command configures Sheltered Harbor solution.
Do you want to continue ? [y,n] (y)
Enter the institution ID:
===== Logging =====
Enter the maximum log file size in MB [10 MB is default]:
Enter the verbose value [2 is default]: 5
===== Solution Type =====
Enter Sheltered Harbor solution type
1.Veritas Alta™ Solution for Sheltered Harbor
2.Veritas NetBackup™ Solution for Sheltered Harbor [1,2] [1 is default] : 2
===== License =====
Enter the Sheltered Harbor license file path:
===== Sheltered Harbor Monitoring Log Type =====
Enter monitoring log type for sending an attestation message
[1 is default] : 2
===== NetBackup Artifact Information =====
Enter the primary server policy: test_air_2
Enter the NetBackup apiKey path: /sharbor/netbackup_apiKey
===== KMS =====
Do you want to configure KMIP based KMS or Azure Key Vault ?
[KMIP, Azure] [KMIP is default] :
Enter the KMS server name: ekms.nbusec.vxindia.veritas.com
Enter the KMIP port [5696 is default]:
Enter the absolute path of certificate file: /sharbor/cert_chain.pem
Enter the absolute path of private key file: /sharbor/key.pem
Enter the absolute path of CA certificate file: /sharbor/cacerts.pem
Enter the envelope private encryption key ID: 3b13af97f70e4a3f8eff7bf

Enter the envelope public encryption key ID: 046952f1ed4244e49bc86a2f
Enter the envelope private sign key ID: 3b13af97f70e4a3f8eff7bfec7eeb
Enter the envelope public sign key ID: 046952f1ed4244e49bc86a2f73aa64
Configuration is saved successfully.
The requested operation is successfully completed.
Register institution
After configuration with the Sheltered Harbor solution, you must register the
institution with the Sheltered Harbor monitoring log.
Note: Ensure that you have configured the Sheltered Harbor solution before you
register the institution.
Use the following procedures to register the institution with the Sheltered Harbor
monitoring log.
Registration procedure
■ nbshvault --register
■ nbshvault --register [--config-dir config-dir-path]
2 Enter the institution ID, and registration ID (provided by the Sheltered Harbor).
The following example shows the register operation:
nbshvault --register
This operation generates private key and sends registration message
to the Sheltered Harbor monitoring log.
Do you want to continue? [y,n] (y) y
Enter the registration key provided by Sheltered Harbor:
Institution ID is already registered.
On successfully running the command, the following message is displayed on

the console:
Registration successful. Status: ‘Institution’ is

registered successfully. Please use the same public/private key for
attestation Message: On Boarding Created
Backup operation
Backup operation lets you back up the institution input data using interactive mode.
Use the following procedures to perform the operation.
Backup procedure
1 Run either of the following commands:
■ nbshvault -b | --backup
■ nbshvault -b | --backup [config-dir config-dir-path]
If you have provided the config-dir option during configuration, you should
use the the same option for the command as well.
2 Enter the Institution ID.
3 Enter the input storage path and transfer storage path.
Note: Use the --force option along with --backup when the backup JSON
file is provided to continue with backup even though attestation for the last
backup has failed.
The backup and attest command options cannot run in parallel as they process
the same set of files.
The following example shows the backup operation:
nbshvault -b
This command backs up the data as per the Sheltered Harbor
compliance specifications. Do you want to continue? [y,n] (y)
Enter the input storage path:
Enter the transfer storage path:
Restore operation
Restore operation in the Sheltered Harbor solution lets you decrypt the restored
data files to its original state. The restore operation can be done using the following
two methods:
■ Archive retrieval
Archive retrieval retrieves specified archive (encrypted volumes and a secure
envelope) to recovery storage using BAR GUI or NetBackup web UI.
■ Data restoration
Data restoration process decrypts data and validates integrity of restored files.
This can be done by restore operation using the interactive mode.
To perform restore operation, first you need to restore the data using the Backup
Archive Restore (BAR) GUI or web UI to the recovery storage location. You can
then perform the restore operation using the interactive mode.
Use the following procedure to perform the restore operation.
Restore procedure
■ nbshvault -r | --restore
■ nbshvault -r | --restore [--config-dir config-dir-path]
If you have provided the config-dir option during configuration, you should
use the same option in the command.
2 Enter the institution ID.
3 Enter the recovery storage path and restored data storage path.
The following example shows the restore operation:
nbshvault -r
This command performs data restoration as per the
Sheltered Harbor compliance specifications. Do you want to continue? [y,n] (y)
Enter the recovery storage path: /root/recovery_storage/
Enter the restored data storage path: /root/d4/
Attestation operation
The nbshvault --attest command option is used when the data vaulting to Veritas
Alta Recovery Vault and IRE is completed but it failed to send an attestation
message to the Sheltered Harbor monitoring log.
Use the following procedures to perform the attestation operation.
Attestation procedure
◆ Run either of the following commands on the command prompt to send the
attestation message to complete the backup operation:
■ nbshvault --attest
■ nbshvault --attest [config-dir config-dir-path]
The command nbshvault can be executed by non-root RBAC user by running it

along with 'nbcmdrun' command. Only non-interactive mode is supported when it
is executed using nbcmdrun command.
Refer to the NetBackup Command Reference Guide for more information about
nbcmdrun command.
Note: Run the nbshvault --report command option to fetch the backup keyword
for attestation.
The backup and attest command options cannot run in parallel as they process the
same set of files.
The following example shows the attest operation:
nbshvault --attest
Enter the institution ID: institution ID
Checking for any latest pending image for attestation
Skipping vaulting attestation as vaulting attestation is set to
false in input configuration JSON file.
Perform data vaulting using non-interactive mode

This section provides you the details on how to perform configuration, backup and
restore data vaulting operations using JSON files provided as an input. The
Non-interactive mode can be used only for automated daily data vaulting process.
To start the data vaulting operations using JSON files, you need to generate JSON
templates that provided as an input. To generate those JSON templates, refer the
following instruction:
To perform data vaulting using non-interactive mode
◆ Run the following command on the command prompt to generate JSON
templates:
■ nbshvault --generate-template -path <path>
Note: You must specify the path where you want to create the JSON file
templates and you have the required access to the path.
NetBackup Sheltered Harbor solution supports data vaulting by generating the

following JSON file templates:
■ config.json
■ backup.json
■ restore.json
Note: You must provide the correct JSON formatted file while performing the
data vaulting operation. If you are using Windows, you need to specify the
double backslash (\\) in the path.
For example: E:\\SH_Part2\\input_storge
Configuration operation
Configuration operation is performed using config.json. You have to manually
run the compliance solution with the configure option. It is a one-time activity. The
NetBackup Sheltered Harbor solution runs the daily vaulting process to backup and
restore (periodic or on demand) using already configured data.
The compliance solution stores the configuration locally on disk file and uses the
same during the backup or restore operations.
Configure the Sheltered Harbor solution using the JSON file as input:
Configure using non-interactive mode
◆ Run either of the following commands on the command prompt:
■ nbshvault --configure filename
■ nbshvault --configure filename [--config-dir config-dir-path]
If you have provided the config-dir option during configuration, you should use the
config-dir option in the command as well.
Note: To allow solution to use a well-known CA certificate while communicating

with Sheltered Harbor Monitoring log, Use value 'NA" for a key "ca_cert_path" in
input configuration JSON file.
On successful execution of the command, the Sheltered Harbor solution is

configured.
The following example shows the configure operation:
nbshvault --configure /root/config.json

Configuration is saved successfully.
The requested operation was successfully complete
Register Institution
After configuration with the Sheltered Harbor solution, you must register the
institution with the Sheltered Harbor monitoring log.
Note: Ensure that you have configured the Sheltered Harbor solution before you
register the institution.
Carry out the following step to perform backup operation to register the institution
with the Sheltered Harbor monitoring log
Register using non-interactive mode
◆ Run either of the following commands on the command prompt:
■ nbshvault --register -i institution _ID -reg-key
registration_key
■ nbshvault –register -i institution ID -reg-key registration

key [--config-dir config-dir-path]
This command option lets you provide the institution ID and registration key.
Once the command is run successfully, the institution is registered to the Sheltered
Harbor monitoring log
The following example shows the register operation:
nbshvault --register -i 021000100 -reg-key d176dab5706b34cb699eadd07f6b77

<Institution ID> is already registered
Backup Operation
A backup operation is performed using the backup.json file. The backup.json
file contains the information related to backup such as input storage path, and
transfer storage path.
Carry out the following step to perform backup operation
Backup using non-interactive mode
◆ Run either of the following commands to backup data to Veritas Alta Recovery
Vault:
■ nbshvault -b filename --force | --backup filename --force
■ nbshvault -b | --backup filename [--config-dir config-dir-path]

--force
Note: Use --force option along with --backup when provided Backup Json file, to
continue taking backup even if attestation for last backup is failed.
Note: The backup and attest command options cannot run in parallel as they
processes same set of files.
On successful execution of the command, the data is backed up on an immutable

storage.
The following example shows the backup operation:
nbshvault -b /root/NEW_TEMP/backup.json
Performing license validation.
License validation is successful.
No latest pending image found for attestation.
Started backup operation
Backup operation is successful.
The requested operation was successfully completed
Restore Operation
Restore operation in the NetBackup Sheltered Harbor solution lets you decrypt the
restored data files to its original state. The Restore operation cab be done using
the following two methods:
■ Archive retrieval
Archive retrieval retrieves specified archive (encrypted volumes and a secure
envelope) to recovery storage using BAR GUI or NetBackup web UI.
■ Data restoration
Data restoration process decrypts data and validates integrity of restored files.
This can be done by restore operation using the non-interactive mode.
A restore operation is performed using restore.json. The restore.json file contains
the information related to restore such as recovery storage path, and restored data
storage path.
To perform restore operation, you first need to download the data from the BAR
GUI and save it to the recovery storage location.
Carry out the following steps to perform restore operation.
Restore using non-interactive mode
◆ Run either of the following commands to restore the data:
■ nbshvault -r | --restore filename
■ nbshvault -r | --restore filename [--config-dir

config-dir-path]
On successful execution of the command, the data is restored to a restored data
storage path on your system.
The following example shows the restore operation:
nbshvault -r /root/NEW_TEMP/restore.json
Restore operation is successful.
The requested operation was successfully completed.
Attestation Operation
The nhshvault--attest command option is used when the data vaulting is
completed to Veritas Alta Recovery Vault but failed to send attestation message to
Sheltered Harbor monitoring log.
Use the following procedure to perform the attestation operation.
Attestation using non-interactive mode
◆ Run either of the following command on the command prompt to send the
attestation message to complete the backup operation:
■ nbshvault --attest [-k keyword] | [-i institution ID]
■ nbshvault --attest [-k keyword] | [-i institution ID]

[--config-dir config-dir-path]
Note: Run the nbshvault--reportcommand option to get the backup keyword for
attestation.
Note: The backup and attest command options cannot run in parallel as they
processes same set of files.
The following examples show how you can perform the attest operation either using
backup keyword or institution ID:
Example 1: Use backup keyword
About key management services (KMS)
nbshvault --attest -k keyword

Attesting pending image for the latest backup process
The requested operation was successfully completed.
Example 2: Use institution ID
nbshvault --attest -i institution ID

Attesting pending image for the latest backup process
The requested operation was successfully completed
About key management services (KMS)

The NetBackup Sheltered Harbor solution encrypts and decrypts the data encryption
key with the help of cloud KMS (CKMS) or on-premises KMS (KMIP based).
To start configuration with the NetBackup Sheltered Harbor solution, it is required
to configure cloud KMS or on-premises KMS. You need to create KMS key pair for
encryption, decryption, signing and sign verification.
Note: NetBackup KMS cannot be used for configuring the Sheltered Harbor solution.
The NetBackup Sheltered Harbor solution supports the following KMS:

■ CKMS: Supports the Azure key vault
■ EKMS: Supports Thales cipherTrust manager and utimaco ESKM
To know more about CKMS and EKMS, refer to EKMS document.
About configuration recovery in NetBackup

solution for Sheltered Harbor
It is recommended to take periodic backups of the NetBackup Sheltered Harbor
solution configuration present on NetBackup client. In case of a disaster, the
configuration can be recovered and used once the client is up and running. You
need to ensure that the periodic backup takes place on the specified directories
where the NetBackup Sheltered Harbor solution configuration is stored.
You need to run periodic backups on the following directories of NetBackup client
with the Sheltered Harbor solution:
Windows: InstallPath\var\nbshvault
Viewing operation details
UNIX: /usr/openv/var/nbshvault

To generate reports
Generate reports to view data vaulting operation details.
Run one of the following commands to show the report of past backup or restore
jobs:
■ nbshvault --report | --report -n
■ nbshvault --report | --report -n [--config-dir config-dir-path]
By default, it shows 10 records.
■ nbshvault –report -n number
This command option is recommended if you need to specify the number of records
you want to see at the end of the command.
The following table contains the information on the data vaulting operation reports:
Table 3-1 Reports
Field Description
Timestamp The time stamp in UTC format.
Institution The institution ID.

ID
Operation The operations to use, either backup or restore.
Backup The backup keyword that helps to search for specific backup files or folder that
Keyword are used at the time of recovery.
Step Shows the details of ongoing operation.
Step The record step status whether it is started, completed or failed for the ongoing
Status operations.
Completion The final operation status - failed or successful

Status
Table 3-1 Reports (continued)
Field Description
Backup The backup ID.

ID
Status The final message or exit code at the completion of the operation. If you
message encounter any error, the exit code message is displayed.
To run show-config operation

This section provides information on how to view the configuration option.
To view the configuration operation
◆ Run one of the following commands:
■ nbshvault --show-config -i institution ID
■ nbshvault --show-config -i institution ID

[--config-dir config-dir-path]
Chapter 4
Glossary
■ Glossary terms for Veritas Sheltered Harbor solutions
Glossary terms for Veritas Sheltered Harbor

solutions
The following are the terms used for NetBackup Sheltered Harbor solution:
Table 4-1 Glossary terms
Terms Definitions
Archive volume An encrypted file resulting from the encryption of the compressed volumes.
A set of archive volumes for the same financial entity and business date
constitutes an archive.
Archive A set of archive volume files containing encrypted account data files as
the financial entity stores the data securely in the data vault.
Archive The daily data vaulting process that generates the archive by compressing
generation and consolidating the account data files and corresponding hash files
into the set of compressed volume. The archive gets encrypted to yield
the archive volumes.
Archive A sub-process of the daily data vaulting process to securely store the
repository archive volumes and secure envelope in the data vault.
Attestation A daily message is sent to the monitoring log during vaulting attestation
message as a proof of a successful archive repository for the financial entity.
Cryptographic A set of cryptographic parameters used for validation and decryption of

material the archive volumes to restore the account data files during a NetBackup
Sheltered Harbor solution event.
Glossary 44
Glossary terms for Veritas Sheltered Harbor solutions
Table 4-1 Glossary terms (continued)
Terms Definitions
Data restoration The process of extraction of the account data files from the archive
volumes and validating the integrity of the extracted files.
Data vaulting A daily process of extracting the data from the originating institution and
storing in the immutable storage.
Encryption keys Encryption keys are created with algorithms designed to ensure that each
key is unique and unpredictable.
Immutable vault The property of the data vault, which guarantees that the content of the
vault cannot be erased or modified in any worse-case scenario.
Input data A set of files that is provided by the originating institution to the daily
process to perform archive generation and secure repository for a financial
Institution. The fileset that includes the manifest, account data files, and
corresponding hash files.

Veritas NetBackup102 Sheltered Harbor Solution Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Veritas NetBackup102 Sheltered Harbor Solution Guide

Uploaded by

Copyright:

Available Formats

Veritas Solution Guide for

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED

Veritas Technologies LLC

Worldwide (except Japan) CustomerCare@veritas.com

Veritas Services and Operations Readiness Tools (SORT)

Chapter 1 About Veritas Sheltered Harbor solutions .................... 6

Chapter 2 Prerequisites to configure Sheltered Harbor

Chapter 3 Veritas Sheltered Harbor solution workflow ............... 27

About configuration recovery in NetBackup solution for Sheltered

Chapter 4 Glossary ............................................................................... 43

Glossary terms for Veritas Sheltered Harbor solutions .......................... 43

■ About Sheltered Harbor

■ AboutS heltered Harbor solutions

■ Data vaulting in Sheltered Harbor solutions

■ About Veritas Alta solution for Sheltered Harbor

■ About Veritas NetBackup for Sheltered Harbor

■ Restore backup data using NetBackup web UI

About Sheltered Harbor

AboutS heltered Harbor solutions

Consequently, institutions that implement the NetBackup client properly should be

Data vaulting in Sheltered Harbor solutions

About Veritas Alta solution for Sheltered Harbor

The process flow is as follows:

Note: The Sheltered Harbor solution supports either VeritasAlta Recovery

Archive restoration using Veritas Alta Recovery Vault for Sheltered

Storage Medium (Hard

Backup Archive Bar 4

Cloud Provider KMS

Private / Public Keys

The process flow is as follows:

3 External or cloud provider KMS: The NetBackup Sheltered Harbor solution

About Veritas NetBackup for Sheltered Harbor

■ Enables predictable recovery processes that can be rehearsed to on-premises

Archive data vaulting to Air-gapped Cyber Resilient Domain (CRD)

Note: Sheltered Harbor solution requires outbound connections to be open from

The process flow is as follows:

Archive restoration in Cyber Resilient Domain

Figure 1-4 Archive restoration in Cyber Resilient Domain

The process flow is as follows:

Archive recovery in Cyber Resilient Domain (CRD) and restoration

Backup Archive Bar

The process flow is as follows:

Restore backup data using NetBackup web UI

■ Common prerequisites to configure Sheltered Harbor solutions

■ Prerequisites to configure Veritas Alta solution for Sheltered Harbor

■ Prerequisites to configure NetBackup solution for Sheltered Harbor

Common prerequisites to configure Sheltered

Table 2-1 Installation Overview

Step 1 Install the NetBackup primary server software on your system.

See NetBackup Installation Guide.

Table 2-1 Installation Overview (continued)

Step 2 Install the NetBackup media server software on your system.

See NetBackup Installation Guide.

Step 3 Install the NetBackup client software on your system.

See NetBackup Installation Guide.

Note: NetBackup version 10.2 is highly recommended for NetBackup primary,

KMS: Use either of the following KMS services:

Immutable cloud storage: An immutable cloud storage provider is required to support

■ Object Lock (Immutable storage): Yes

Prerequisites to configure Veritas Alta solution

Table 2-2 Configuration Overview

Step 1 To configure Veritas Alta Recovery Vault (formerly known as NetBackup

Prerequisites to configure NetBackup solution for

Table 2-3 Configuration Overview